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DETAILED ACTION 

1 . This Office Action is in response to the Amendment filed on 10/576,250. 

2. In the instant Amendment, claims 1-36, 48, and 65 were cancelled; claims 37, 54, 57, 62, 
and 71-72 have been amended; and claims 37, 54, and 71-72 are independent claims. 
Claims 37-47, 49-64, and 66-72 have been examined and are pending. 

This Action is made FINAL. 



Response to Arguments 

3. The objections to claims 7 1-72 are withdrawn as the claims have been amended and 
Applicants' arguments are found persuasive. 

4. The rejection of claim 70 under 35 U.S.C. § 1 12 second paragraph is withdrawn as the 
claim has been amended and Applicants' arguments are found persuasive. 

5. The rejections of claims 54-64 and 66-69 under 35 U.S.C. § 1 12 second paragraph are 
maintained as the claims are found indefinite. Applicants' arguments in the instant 
Amendment, filed on 10/13/2011, with respect to §112, f 6, have been fully considered but 
they are not persuasive. 

a. Applicants argue: "fijn light of these amendments, these claims do not invoke 
§112, f 6." 

The Examiner disagrees with the Applicants. The Examiner respectfully submits that 
claim 54 contains means-plus function languages presumed to invoke § 1 12, f 6. The 
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claim recites limitations "said communication module being further configured for ... 

blocking, ... directing. ... and inhibiting " in lines 10-15 (emphasis added). The 

aforementioned limitations are non-structure terms (Refer to Federal Register, Vol. 76, 
No. 27, issued on February 09, 2011 for details). As the claim limitation uses a non- 
structural term (i.e., 'module'); the claimed non- structural term: (1) is preceded by 
another non-structure term (i.e., 'communication'); (2) is modified by functional 
language (i.e., blocking, directing, and inhibiting); and (3) is not modified by sufficient 
structure, material, or acts for achieving the specified function. Therefore, §112, f 6 is 
applied to the aforementioned means-plus functions. 

b. Applicants argue: "the phrase 'test system ' connote sufficient structure to one of 
ordinary sill in the art, and accordingly, §112, \ 6 does not apply to the phrase 'test 
system '. " 

The Examiner disagrees with the Applicants. The Examiner respectfully submits that 
the limitation "test system configured to " is a non- structural term (Refer to Federal 
Register, Vol. 76, No. 27, issued on February 09, 2011 and Precedential Opinion - Ex 
parte Rodriguez, October 1, 2009 for further details ) (emphasis added). In addition to 
the above, As addressed in the Federal Register, Vol. 76, No. 27, issued on February 
09, 201 1, "[f]or a computer-implemented means-plus -function claim limitation 
invoking §112, f6, the corresponding structure is required to be more than simply a 
general purpose computer or microprocessor; " "ftjhe structure corresponding to a § 
112, f 6 claim limitation for a computer-implemented function must include the 
algorithm needed to transform the general purpose computer or microprocessor 
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disclosed in the specification. The corresponding structure is not simply a general 
purpose computer by itself but the special purpose computer as programmed to 
perform the disclosed algorithm. Thus, the specification must sufficiently disclose an 
algorithm to transform a general purpose microprocessor to the special purpose 
computer" and "[a] rejection under § 112, \2 is appropriate if the specification 
discloses no corresponding algorithm associated with a computer or microprocessor. " 
Nowhere does the specification disclose corresponding algorithm to transform general 
purpose computer to the special purpose computer to perform claimed means-plus 
function recited in claims 54-64 and 66-69. Therefore, the rejections of claim 54-64 
and 66-69 under 35 U.S.C. 1 12, second paragraph is proper. 

6. Applicants' arguments in the instant Amendment, filed on 10/13/201 1, with respect to 
limitations listed below, have been fully considered but they are not persuasive. 

a. Applicants argue: Baehr and Nakae fail to disclose "in the absence of an adverse 
effect, inhibiting said test facilities from providing a response to said traffic " 

The Examiner disagrees with the Applicants. The Examiner respectfully submits that 
Nakae does disclose 'in the absence of an adverse effect, inhibiting said test facilities 
from providing a response to said traffic' (Nakae: par. 0449; when an attack has been 
detected by the decoy unit 2, the connection is immediately blocked; therefore it can be 
guaranteed that no request data thereafter including the piece of request data r(i) will 
reach the regular server). As described in par. [0449] above, 'when an attack has 
been detected by the decoy unit 2, the connection is immediately blocked. ' One of 
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ordinary skill in the art would realize that when the connection is blocked, 
communication between the decoy unit and the Internet is prohibited; therefore, 
response from the decoy unit to the Internet is also prohibited. It is clear that Nakae 
does disclose all limitations argued above. 

7. The Examiner respectfully suggests that the claim be further amended; details in the 

specification be incorporated, to distinguish the claimed invention over prior art of record. 
Should the Applicant desire an interview to further clarify the claim 
interpretation/rejections, please contact the Examiner at (571) 270 5002 to schedule an 
interview. 



Claim Rejections - 35 USC § 112 

8. The following is a quotation of the second paragraph of 35 U.S.C. 1 12: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

9. Claims 54-64 and 66-70 are rejected under 35 U.S.C. 112, second paragraph, as being 
indefinite for failing to particularly point out and distinctly claim the subject matter which 
applicant regards as the invention. 

• Regarding claims 54-56, 58, 61-63, and 67-69; claims 54-56, 58, 61-62, and 69 
recite the limitation "communication module configured for " claims 63 and 67-68 
recite the limitation "test system are configured to ..." The aforementioned limitations use 
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the phrase similar to "means for" or "step for" or a non- structural term coupled with 
functional language, but it is modified by some structure, material, or acts recited in the 
claim; (Refer to Federal RegisterWol. 76. No. 27/ February 09, 2011/Notices - page 7167). 
It is unclear whether the recited structure, material, or acts are sufficient for performing the 
claimed function because there is no corresponding algorithm disclosed in the 
specification. At most, block diagrams/flowcharts, depicted in figures 4-6, show block 
diagrams and schematic representation illustrating the operation. It is unclear as to how the 
claimed means-plus functions are performed and what corresponding structures and/or 
algorithms are utilized to perform said claimed steps. As a result, the aforementioned 
drawings do not provide sufficient structure for performing claimed functions. "If there is 
no structure in the specification corresponding to the means-plus-function limitation in the 
claims, the claims will be found invalid as indefinite. " Biomedino, LLC vs. Waters 
Technology Corp., 490 F.3d 946, 950 (Fed. Cir. 2007). 

If applicant wishes to have the claim limitation treated under 35 U.S.C. 112, sixth 
paragraph, applicant may amend the claim so that the phrase "means for" or "step for" or 
the non- structural term is clearly not modified by sufficient structure, material, or acts for 
performing the claimed function, or present a sufficient showing that the claim limitation is 
written as a function to be performed and the claim does not recite sufficient structure, 
material, or acts for performing the claimed function. 

If applicant does not wish to have the claim limitation treated under 35 U.S.C. 1 12, 
sixth paragraph, applicant may amend the claim so that it will clearly not invoke 35 U.S.C. 
1 12, sixth paragraph, or present a sufficient showing that the claim recites sufficient 
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structure, material, or acts for performing the claimed function to preclude application of 
35 U.S.C. 112, sixth paragraph. 

• Regarding claims 55-64 and 66-70; claims 55-64 and 66-70 are dependent on 
claim 54 and therefore inherit 35 U.S.C. 112 second paragraph issues of the independent 
claim. 



Claim Rejections - 35 USC § 103 

10. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness 
rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

11. This application currently names joint inventors. In considering patentability of the claims 
under 35 U.S.C. 103(a), the examiner presumes that the subject matter of the various 
claims was commonly owned at the time any inventions covered therein were made absent 
any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to 
point out the inventor and invention dates of each claim that was not commonly owned at 
the time a later invention was made in order for the examiner to consider the applicability 
of 35 U.S.C. 103(c) and potential 35 U.S.C. 102(e), (f) or (g) prior art under 35 U.S.C. 
103(a). 
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12. Claims 37-39, 46-47, 49-51, 54-56, 63-64, 66-68, and 71-72 are rejected under 35 

U.S.C. 103(a) as being unpatentable over Baehr et al., (hereinafter "Baehr"), U.S. Patent 
No. 5,878,231, issued on March 02, 1999, in view of Nakae et al, (hereinafter "Nakae"), 
U.S. Patent Application Publication No. 2004/0172557, filed on August 20, 2003. 

• Regarding claim 37, Baehr discloses a method of preventing intrusion in 
communication traffic with a set of machines in a network, said traffic comprising 
communication entities (col. 5, lines 7-11; Figs. 6-7; proxy network 445 implemented on 
screening system 340), comprising the steps of: 

providing a test system (col. 5, lines 7-11; Fig. 7; the screen 340 and proxy 
network in a single unit [as a whole, known as test system]) comprising test facilities 
replicating at least one of said machines in said set (col. 4, lines 27-40 and lines 50-63; 
Figs. 5-6; proxy network may include proxy hosts representing actual hosts, and/or proxy 
hosts with unique server; proxy network 430/445 includes a virtual host mirroring (or 
acting as proxy for) each of a subset (or all) of the hosts found on the private network 330; 
col. 5, lines 7-11; Fig. 7; the proxy hosts 360-380 are emulated by the program 
instructions, so that all of the behavior of any of the actual hosts may be mimicked by a 
virtual proxy host module); 

directing at least part of said communication entities in said traffic toward said 
test system (col. 2, lines 25-36; if the packet's intended destination is a host machine on the 
private network, it may instated be sent aside to a preconfigured host machine on the proxy 
network, which executes appropriate operations that the actual host would execute; col. 4, 
lines 57-60; Figs. 4-7; when a user attempts to access a service or host of the private 
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network, the request may be shunted aside to the proxy network to either a mirroring proxy 
host or a unique proxy host; see also col. 6, lines 30-36; see also col. 10, lines 11-34); 

running said communication entities directed toward said test system [[on said 
test facilities]] to detect possibly adverse affects on said test system (col. 6, lines 30-50; 
col. 8, lines 67 to col. 9, lines 1-7; col. 9, liens 26-35; packet inspector 600 includes the 
instructions for inspecting the contents of the incoming packets based upon the criteria 
discussed above); and 

i) in the presence of an adverse effect, blocking the communication entities 
leading to said adverse effect (col. 6, lines 53-59; this is an indication that intruder may be 
attempting to breach the private network by masquerading as a trusted hot; in this case, 
the screen 340 should drop the packet without reply; col. 7, lines 16-24; packets from any 
other source will be dropped without further action; col. 7, lines 25-29; if a trace jroute 
packet is received, the packet is discarded; see also col. 10, lines 27-32), and 

ii) in the absence of an adverse effect, directing the communication entities not 
having the adverse effect to said set of machines (col. 7, lines 39-43; another action can, of 
course, be to simply pass the packet through to its destination [targeted hosts/servers]; col. 
10, lines 27-32; if the connection is not allowed, it is blocked (box 970), but otherwise, it is 
allowed, and then the method tests whether it is an initial connection (box 980) - if so, then 
at box 990 the connection is established). 

Baehr discloses running said communication entities directed toward said test 
system to detect possibly adverse effects on said test system, as recited above, but does not 
explicitly discloses running said communication entities directed toward said test system 
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on said test facilities to detect possibly adverse effects on said test system. Baehr does not 
explicitly disclose in the absence of an adverse effect, inhibiting said test facilities from 
providing a response to said traffic. 

However, in an analogous art, Nakae discloses an attack defending 
system/method including the steps of running said communication entities directed toward 
said test facilities on said test facilities to detect possibly adverse effects on said test system 
(Nakae: pars. 0126-0130; Figs. 7 and 10-11; steps A6-A8; the attack detecting section 202 
of the decoy unit 2 compares the processing status notified from the processor 201 with a 
normal operation definition to determine whether an attack exists; pars. 0153-0157; in the 
decoy unit 2, the processor 201 provides WWW services to the attack-source host 301 and 
sequentially notifies the attack detecting section 202 of the operation status such as file 
accesses and network accesses); and in the absence of an adverse effect, inhibiting said test 
facilities from providing a response to said traffic (Nakae: par. 0449; when an attack has 
been detected by the decoy unit 2, the connection is immediately blocked; therefore it can 
be guaranteed that no request data thereafter including the piece of request data r(i) will 
reach the regular server [as the connection is immediately blocked, communication from 
the decoy unit to the Internet is inhibited]). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made to combine the teaching of Nakae with the method and system 
of Baehr to include running said communication entities directed toward said test facilities 
on said test facilities to detect possibly adverse effects on said test system; and in the 
absence of an adverse effect, inhibiting said test facilities from providing a response to said 
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traffic to provide users with an attack defending system to lure suspicious packets into a 
decoy unit to detect attacks and provide appropriate action to the detected attacks (Nakae: 
pars. 0103-0104). 

• Regarding claim 38, Baehr and Nakae disclose the method of claim 37. 
Baehr further discloses said at least part of said communication entities directed 

toward said test system include communication entities from traffic bound toward said set 
of machines (Baehr: col. 6, lines 29-36; Fig. 6; when a data packet arrives from the public 
network 350 addressed to one of the hosts or server 360-380; such packet typically include 
a sources address, a destination address; see also col. 10, lines 11-18). 

• Regarding claim 39, Baehr and Nakae disclose the method of claim 37. 
Baehr and Nakae further disclose said at least part of said communication 

entities directed toward said test system include communication entities from traffic 
coming from said set of machines (Baehr: col. 8, lines 13-29; upon execution of such 
operations, a proxy host may then return a given packet to the sender, i.e. send the packet 
off with the original sender's address as the destination; that packet will then go through 
the screen 340, which will subject it to the predetermined inspection criteria, just as when 
it was first received at the screen from, for instance, public network 350; Nakae: pars. 
0509-0512; Fig. 58; the present invention is further provided with a mirroring unit 6901, 
which copies the contents of a file system from the server (for example, an FTP server 402) 
on the internal network 4 to at least the decoy unit). 
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• Regarding claim 46, Baehr and Nakae disclose the method of claim 37. 
Baehr and Nakae further disclose in the presence of said adverse effect, the step 

of subjecting to a resetting step those of said test facilities in said test system affected by 
said adverse effect (Baehr: col. 6, lines 37-67 to col. 7, lines 1-7; packet is either blocked 
or allowed depending on predetermined criteria and/or predefined table; col. 7, lines 13- 
24; actions are taken on each data packet by the screening system 340, based upon the 
foregoing criteria and the particular security protocol and level for that packet as 
determined in advance by the system administrator; Nakae: pars. 0233-0234;the defense 
rule determination section 1001 instructs the confidence management sections 502 and 701 
to reset a corresponding confidence level depending on an alert received from the decoy 
unit 2 through the control interface 106). 

• Regarding claim 47, Baehr and Nakae disclose the method of claim 37. 
Baehr further discloses the machines in said set comprise facilities exposed to 

said adverse effect as well as additional contents, comprising the step of configuring said 
test facilities in order to replicate said facilities exposed to said adverse effect in the 
machines in said set ( Baehr: col. 4, lines 33-63; a proxy network may thus include proxy 
hosts representing actual hosts, and/or proxy hosts with unique servers, in any combination 
(zero to several of each); whichever configuration is adopted, the private network 330 and 
the proxy network 430 together form a single logical or apparent network 345, i.e. a single 
apparent domain from the point of view of outsiders; see also col. 7, lines 13-24). 
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• Regarding claim 49, Baehr and Nakae disclose the method of claim 37. 
Baehr further discloses providing an in-line component ensuring said traffic with 

said set of machines (Baehr: col. 3, lines 59-64; Figs. 5-9; packet screening system 340 
and network interface 1 ); and 

providing at least one interface interfacing said in-line component with said test 
system (Baehr: col. 3, lines 59-64; Figs. 5-9; packet screening system 340 and network 
interface 2). 

• Regarding claim 50, Baehr and Nakae disclose the method of claim 49, 
comprising the step of providing feedback from said test system to said in-line component 
via said at least one interface (Baehr: col. 8, lines 5-12; the screen can store information 
about what state each packet is in, and take actions dependent upon that state; see also col. 
7, lines 55-63; packets will normally be logged in the log file storage 640 (especially failed 
attempts or requests), including whatever information the system administrator decides is 
important, such as: time of day; source and destination addresses; requested operations)). 

• Regarding claim 51, Baehr and Nakae disclose the method of claim 49. 
Baehr further discloses providing a management network for managing said test 

system (Baehr: col. 7, lines 13-24; administrator is able to select security protocol and 
predefined criteria for packet filtering/processing); and 

providing feedback from said test system to said in-line component via said 
management network (Baehr: col. 7, lines 55-63; packets will normally be logged in the 
log file storage 640 (especially failed attempts or requests), including whatever 
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informal ion I lie system administrator decides is important, such as: time of day; source and 
destination addresses; requested operations); col. 8, lines 5-12; the screen can store 
information about what state each packet is in, and take actions dependent upon that state). 

• Regarding claims 54-56, claims 54-56 are similar in scope to claims 37-39 
respectively, and are therefore rejected under similar rationale. 

• Regarding claims 63-64, claims 63-64 are similar in scope to claims 46-47 
respectively, and are therefore rejected under similar rationale. 

• Regarding claims 66-68, claims 66-68 are similar in scope to claims 49-51 
respectively, and are therefore rejected under similar rationale. 

• Regarding claim 71, claim 71 is similar in scope to claims 54-64 or 66-70, and 
is therefore rejected under similar rationale. 

• Regarding claim 72, claim 72 is similar in scope to claims 37-47 or 49-53, and 
is therefore rejected under similar rationale. 
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13. Claims 40-45, 52-53, 57-62, and 69-70 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Baehr in view of Nakae, as applied to claims 37 and 54 above, and 
further in view of Ramsey et al., (hereinafter "Ramsey"), U.S. Patent No. 7,331,061, filed 
on September 07,2001. 

• Regarding claim 40, Baehr and Nakae disclose the method of claim 37. 

Baehr and Nakae do not explicitly discloses providing a data base comprising 
patterns representative of forbidden communication entities for communication with said 
set of machines; and blocking forbidden communication entities in said traffic as identified 
by respective patterns included in said data base. 

However, in an analogous art, Ramsey discloses an integrated computer security 
management method including steps of providing a data base comprising patterns 
representative of forbidden communication entities for communication with said set of 
machines (Ramsey: col. 3, lines 35-38; col. 4, lines 43-49; col. 5, lines 38-47; col. 18, lines 
29-55; Fig. 5, wherein at least steps 542: signature match? Y/N and profile match: Y/N); 
and blocking forbidden communication entities in said traffic as identified by respective 
patterns included in said data base (Ramsey: col. 3, lines 35-38; col. 4, lines 43-49; col. 5, 
lines 38-47; col. 17, lines 20-35; Fig. 5; wherein at least steps 514/528/652: deny/reject? 
Y/N). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made to combine the teaching of Ramsey with the method and 
system of Baehr and Nakae to include steps of providing a data base comprising patterns 
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representative of forbidden communication entities for communication with said set of 
machines; and blocking forbidden communication entities in said traffic as identified by 
respective patterns included in said data base to provide user with a means for managing 
security information with parallel processing, serial processing, or singular processing by a 
firewall, and IDS, and an AVS (Ramsey: col. 2, lines 63-67). 

• Regarding claim 41, Baehr and Nakae disclose the method of claim 37. 
Baehr and Nakae do not explicitly disclose providing a further data base 
comprising patterns representative of allowed communication entities for communication 
with said set of machines; and allowing communication of allowed communication entities 
in said traffic as identified by respective patterns included in said further data base. 

However, in an analogous art, Ramsey discloses an integrated computer security 
management method including steps of providing a further data base comprising patterns 
representative of allowed communication entities for communication with said set of 
machines (Ramsey: col. 3, lines 35-38; col. 4, lines 43-49; col. 5, lines 38-47; col. 18, lines 
29-55; Fig. 5, wherein at least steps 538: compare packet/copy to IDS signature and 542: 
signature match? Y/N and profile match: Y/N); and allowing communication of allowed 
communication entities in said traffic as identified by respective patterns included in said 
further data base (Ramsey: col. 3, lines 35-38; col. 4, lines 43-49; col. 5, lines 38-47; col. 
17, lines 20-35; Fig. 5; wherein at least steps : compare packet/copy to IDS signature; 
552: trust? Y/N and 514/528/652: deny/reject? Y/N). 
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Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made to combine the teaching of Ramsey with the method and 
system of Baehr and Nakae to include steps of providing a further data base comprising 
patterns representative of allowed communication entities for communication with said set 
of machines; and allowing communication of allowed communication entities in said 
traffic as identified by respective patterns included in said further data base to provide user 
with a means for managing security information with parallel processing, serial processing, 
or singular processing by a firewall, and IDS, and an AVS (Ramsey: col. 2, lines 63-67). 

• Regarding claim 42, Baehr, Nakae, and Ramsey disclose the method of claim 

40. 

Baehr and Ramsey further disclose detecting unknown communication entities in 
said traffic as identified by respective unknown patterns not included in said data base 
(Baehr: col. 7, lines 13-29; packages from (or to) any other source (unknown source) will 
be dropped; Ramsey: Fig. 5; wherein at least step 542: 'profile match? Y/N')\ and 
directing said unknown communication entities in said traffic as identified by respective 
unknown patterns not included in said data base toward said test system to be run on said 
test facilities to detect possibly adverse effects on said test system (Baehr: col. 4, lines 57- 
60; Figs. 4-7; requests from public network will be forwarded to proxy network; see also 
col. 6, lines 30-36; Ramsey: Fig. 5; wherein at least step 542: 'profile match? Y/N'). 

• Regarding claim 43, Baehr, Nakae, and Ramsey disclose the method of claim 

42. 
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Baehr further discloses in the presence of said adverse effect, the step of adding 
to said data base the respective pattern identifying the communication entity leading to said 
adverse effect (Baehr: col. 6, lines 37-59; col. 7, lines 55-63; packets, especially failed 
at tempts or requests, are logged in the log file storage 640). 

• Regarding claim 44, Baehr, Nakae, and Ramsey disclose the method of claim 

41. 

Baehr and Ramsey further disclose detecting unknown communication entities in 
said traffic as identified by respective unknown patterns not included in said further data 
base (Baehr: col. 7, lines 13-29; unknown packets are determined by predetermined 
criteria; Ramsey: Fig. 5; wherein at least steps 512 and 552: determine if packet is 
trusted? Y/N); and 

directing said unknown communication entities in said traffic as identified by 
respective unknown patterns not included in said further data base toward said test system 
to be run on said test facilities to detect possibly adverse effects on said test system (Baehr: 
col. 4, lines 57-60; Figs. 4-7; requests from public network will be forwarded to proxy 
network; see also col. 6, lines 30-36). 

• Regarding claim 45, Baehr, Nakae, and Ramsey disclose the method of claim 

44. 

Baehr and Ramsey further disclose in the absence of said adverse effect, the step 
of adding to said further data base the respective pattern identifying the communication 
entity failing to lead to said adverse effect (Baehr: col. 7, lines 13-29; unknown packets are 
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determined by predetermined criteria; Ramsey: col. 12, lines 63-67 to col. 13, lines 1-3; 
updating IDS configuration and/or signature files). 

• Regarding claim 52, Baehr, Nakae, and Ramsey disclose the method of claim 

43. 

Ramsey further discloses providing a parallel intrusion preventing arrangement 
including a respective data base including patterns representative of respective forbidden 
communication entities for communication with a respective set of machines (Ramsey: col. 
16, lines 23-30; parallel processing occurs where the IDS 255 processes the copied packet 
while the actual packet is processed by the firewall 225); and 

in the presence of said adverse effect, transmitting to said parallel intrusion 
preventing arrangement, for inclusion in said respective data base, the respective pattern 
identifying the communication entity leading to said adverse effect (Ramsey: col. 16, lines 
23-60; decision step 512, it is determined whether a packet is 'trusted'). 

• Regarding claim 53, Baehr, Nakae, and Ramsey disclose the method of claim 

45. 

Ramsey further discloses providing a parallel intrusion preventing arrangement 
including a respective further data base including patterns representative of respective 
allowed communication entities for communication with a respective set of machines 
(Ramsey: col. 16, lines 23-30; col. 19, lines 8-34; parallel processing occurs where the IDS 
255 processes the copied packet while the actual packet is processed by the firewall 225); 
and 
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in the absence of said adverse effect, transmitting to said parallel intrusion 
preventing arrangement, for inclusion in said respective further data base, the respective 
pattern identifying the communication entity failing to lead to said adverse effect (Ramsey: 
col. 16, lines 23-60; col. 19, lines 8-34; decision step 512, it is determined whether a 
packet is 'trusted'). 

• Regarding claims 57-62, claims 57-62 are similar in scope to claims 40-45 
respectively, and are therefore rejected under similar rationale. 

• Regarding claims 69-70, claims 69-70 are similar in scope to claims 52-53 
respectively, and are therefore rejected under similar rationale. 



Conclusion 

14. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy 
as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the 
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advisory action. In no event, however, will the statutory period for reply expire later than 
SIX MONTHS from the mailing date of this final action. 

15. Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to Luu Pham whose telephone number is 571-270-5002. The examiner 
can normally be reached on Monday through Friday, 8:30 AM - 5:00 PM (EST). 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Shiferaw A. Eleni can be reached on 571-272-3867. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published 
applications may be obtained from either Private PAIR or Public PAIR. Status information 
for unpublished applications is available through Private PAIR only. For more information 
about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on 
access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866- 
217-9197 (toll-free). If you would like assistance from a USPTO Customer Service 
Representative or access to the automated information system, call 800-786-9199 (IN USA 
OR CANADA) or 571-272-1000. 



/Luu Pham/ 

Examiner, Art Unit 2437 



